Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total4
Critical0
High0
Medium4
Reset
Showing 1-4 of 4 records
Threat Entry Updated 2026-01-08

CVE-2025-13722 - Conversational Form Builder Plugin

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.7. This is due to missing capability checks on the `fluentform_ai_create_form` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary forms via the publicly exposed AI builder.

PLUGIN Conversational Form Builder

CVE-2025-13722

MEDIUM CVSS 5.3 2026-01-07
Open Full Technical Breakdown
Threat Entry Updated 2025-12-08

CVE-2025-13748 - Conversational Form Builder Plugin

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the 'submission_id' parameter due to missing validation on a user controlled key within the confirmScaPayment() function. This makes it possible for unauthenticated attackers to mark arbitrary submissions as failed via crafted requests to the endpoint granted they can guess or enumerate a valid submission identifier.

PLUGIN Conversational Form Builder

CVE-2025-13748

MEDIUM CVSS 5.3 2025-12-06
Open Full Technical Breakdown
Threat Entry Updated 2025-09-04

CVE-2025-9260 - Conversational Form Builder Plugin

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to PHP Object Injection in versions 5.1.16 to 6.1.1 via deserialization of untrusted input in the parseUserProperties function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to read arbitrary files. If allow_url_include is enabled on the server, remote code execution is possible. While the vendor patched this issue in version 6.1.0, the patch caused…

PLUGIN Conversational Form Builder

CVE-2025-9260

MEDIUM CVSS 6.5 2025-09-03
Open Full Technical Breakdown
Threat Entry Updated 2025-03-22

CVE-2024-13666 - Conversational Form Builder Plugin

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 5.2.12 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers spoof their IP address and submit forms that may have IP-based restrictions.

PLUGIN Conversational Form Builder

CVE-2024-13666

MEDIUM CVSS 5.3 2025-03-22
Open Full Technical Breakdown
Scroll to top